[4549] in Kerberos
Re: Interoperability questions regarding the Kerberos GSS-API Mechanism
daemon@ATHENA.MIT.EDU (John Linn)
Thu Feb 2 09:40:10 1995
To: Danny.Nessett@Eng.Sun.COM (Dan Nessett)
Cc: jim@bilbo.suite.com, kerberos@MIT.EDU, cat-ietf@MIT.EDU, linn@cam.ov.com
In-Reply-To: Your message of "Wed, 01 Feb 1995 14:00:46 PST."
<199502012200.OAA05923@elrond.ss-eng.eng.sun.com>
Date: Thu, 02 Feb 1995 09:30:24 -0500
From: John Linn <linn@cam.ov.com>

Dan writes:
>Unfortunately, it is very hard to guess whether this sort of replay detection
>would be appropriate for all apps. Consequently, I am currently of the
>opinion that both GSSAPI and Kerberos should provide a way for an application
>to provide a sequence number on a seal/mk_priv and sign/mk_safe call, as
>well as return a sequence number on a unseal/rd_priv and verify/rd_safe
>call and to set up the security context so the underlying mechanism doesn't
>perform sequencing checks. This would allow the application to do its own
>replay detection and sequencing in case the underlying mechanism's method
>is inappropriate.
A desirous application is completely free to set up and manage whatever
sequencing and/or replay detection scheme it deems appropriate and
represent the corresponding sequence numbers, timestamps, or other
data elements within its tokens. Such application-managed data would
be uninterpreted by GSS-API or Kerberos; it would just be a part of
the token and doesn't need to be visible as a distinguished item at
the interface. The only conflict potential I can see would arise
if the application were layered atop a mechanism which performed its
own sequencing and/or replay detection (in a conflicting fashion)
even when the caller requested that these optional services not
be enabled for the context. RFC-1508 strongly recommends that
mechanisms honor a caller's request to disable the message stream
integrity services on a per-context basis; if mechanisms honor
this recommendation, I think a pure application-level approach,
wholly independent of GSS-API and Kerberos, should "just work" today.
--jl
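The application-managed scheme John describes above, as an added example (not code from the message, GSS-API, or Kerberos): the application prepends its own sequence number to the data before handing it to the mechanism's integrity service, which is stood in for here by an HMAC and is assumed to have its replay/sequence checks disabled for the context, and the receiver does its own windowed replay detection. The key and messages are constructed.

```python
import hashlib
import hmac
import struct

# Stand-in for the mechanism's per-message integrity service (GSS_GetMIC /
# mk_safe): it protects whatever bytes the application hands it. The sequence
# number is just token data to this layer and is not inspected or enforced.
def mech_sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def app_wrap(key: bytes, seq: int, payload: bytes) -> bytes:
    """Application-managed sequence number, carried inside the protected token."""
    body = struct.pack(">Q", seq) + payload
    return body + mech_sign(key, body)

class AppReplayWindow:
    """Receiver-side replay/sequencing check done entirely by the application."""
    def __init__(self, window: int = 64):
        self.window = window
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted numbers still inside the window

    def unwrap(self, key: bytes, token: bytes):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(mech_sign(key, body), tag):
            return "bad_mic", None        # integrity failure: never update state
        seq = struct.unpack(">Q", body[:8])[0]
        if seq in self.seen:
            return "replay", None
        if self.highest >= 0 and seq <= self.highest - self.window:
            return "too_old", None        # fell out of the window; treat as replay
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        self.seen.add(seq)
        return "ok", body[8:]

def demo():
    key = b"constructed-session-key"   # assumption: established with the context
    rx = AppReplayWindow(window=4)
    out = []
    for seq, msg in [(0, b"hello"), (1, b"world"), (2, b"again")]:
        out.append(rx.unwrap(key, app_wrap(key, seq, msg))[0])
    out.append(rx.unwrap(key, app_wrap(key, 1, b"world"))[0])     # replayed message
    t = bytearray(app_wrap(key, 3, b"x")); t[8] ^= 1
    out.append(rx.unwrap(key, bytes(t))[0])                        # modified payload
    out.append(rx.unwrap(key, app_wrap(key, 9, b"late"))[0])      # jump ahead
    out.append(rx.unwrap(key, app_wrap(key, 7, b"reorder"))[0])   # late but in window
    out.append(rx.unwrap(key, app_wrap(key, 4, b"stale"))[0])     # outside window
    return out
```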